Improve authentication documentation #2737

Merged
merged 27 commits into from
Jun 5, 2023
Minor tweaks
AlekSi committed Jun 5, 2023
commit 9d2337c7fa3dc42b545b6a83df53ff547be4c46f
11 changes: 5 additions & 6 deletions website/docs/security/authentication.md
Expand Up @@ -17,8 +17,6 @@ the use of [TLS](../security/tls.md) is highly recommended.

## PostgreSQL backend with default username and password

PostgreSQL server may start with default username and password.

In following examples, default username and password are specified in FerretDB's connection string `user1:pass1`.
Ensure `user1` is a PostgreSQL user with necessary
[privileges](https://www.postgresql.org/docs/current/sql-grant.html).
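Review bot: with the sentence "PostgreSQL server may start with default username and password" removed, the kept text never says what "default username and password" means; the first remaining sentence should spell out that `user1:pass1` is the pair FerretDB uses on behalf of clients that present no credentials (as the later `mongodb://ferretdb/ferretdb` example in this file does) and that both are example values to be replaced. Grammar in the kept lines: "In following examples" → "In the following examples", "with necessary privileges" → "with the necessary privileges". Since the text already links to GRANT, it would also help to say the privileges should be limited to the `ferretdb` database rather than a superuser role.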
Expand Down Expand Up @@ -49,7 +47,7 @@ mongosh 'mongodb://user2:pass2@127.0.0.1/ferretdb?authMechanism=PLAIN'

For Docker, specify `FERRETDB_POSTGRESQL_URL` with default username and password.

```yml
```yaml
services:
postgres:
image: postgres
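Review bot: the `yml` → `yaml` fence tag is consistent with the other fences changed in this commit. The sentence "For Docker, specify `FERRETDB_POSTGRESQL_URL` with default username and password" should name the expected value (the same `user1:pass1` pair used in the earlier example) so the two examples agree. The context line `mongosh 'mongodb://user2:pass2@127.0.0.1/ferretdb?authMechanism=PLAIN'` is a good place to restate that PLAIN sends the password in cleartext, which is why the TLS recommendation at the top of this file applies to anything beyond loopback.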
Expand Down Expand Up @@ -84,12 +82,13 @@ Use following command to run `mongosh` inside the temporary MongoDB container,
attached to the same Docker network.

```sh
docker run --rm -it --network=ferretdb --entrypoint=mongosh mongo 'mongodb://ferretdb/ferretdb'
docker run --rm -it --network=ferretdb --entrypoint=mongosh \
mongo 'mongodb://ferretdb/ferretdb'
```

A client that specify username and password in MongoDB URI as below is authenticated as `user2`.

```sh
docker run --rm -it --network=ferretdb --entrypoint=mongosh mongo \
'mongodb://user2:pass2@ferretdb/ferretdb?authMechanism=PLAIN'
docker run --rm -it --network=ferretdb --entrypoint=mongosh \
mongo 'mongodb://user2:pass2@ferretdb/ferretdb?authMechanism=PLAIN'
```
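Review bot: the backslash continuations read better, but check that no trailing whitespace follows `\` in the source; a space after the backslash silently turns `mongo 'mongodb://...'` into a separate command. Grammar in the kept line: "A client that specify username and password" → "A client that specifies a username and password". The first command, `mongosh mongo 'mongodb://ferretdb/ferretdb'`, carries no credentials, so the text should say which user such a client is authenticated as (presumably the default pair from `FERRETDB_POSTGRESQL_URL`); otherwise the contrast with the `user2` example below is lost.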
27 changes: 12 additions & 15 deletions website/docs/security/tls.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ In following examples, FerretDB uses TLS certificates to secure the connection.
Example certificates are found in [build/certs](https://github.com/FerretDB/FerretDB/tree/main/build/certs).
The `ferretdb` server uses TLS server certificate file, TLS private key file and root CA certificate file.

```console
```text
server-certs/
├── rootCA-cert.pem
├── server-cert.pem
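Review bot: `console` → `text` is the right tag for a directory listing, since `console` implies a shell session. The kept sentence "Example certificates are found in build/certs" should add that these certificates, including the private key, are published in the repository and are for local testing only, never for a production deployment. Also "uses TLS server certificate file, TLS private key file and root CA certificate file" wants articles: "uses a TLS server certificate file, a TLS private key file and a root CA certificate file".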
Expand All @@ -40,7 +40,7 @@ server-certs/

The client uses TLS client certificate file and root CA certificate file.

```console
```text
client-certs/
├── client.pem
└── rootCA-cert.pem
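Review bot: same fence change as above, fine. The listing shows a single `client.pem`, and the `docker run` example later in this file passes it as `tlsCertificateKeyFile`, so the sentence "The client uses TLS client certificate file and root CA certificate file" should say that `client.pem` bundles the client certificate and its private key and must be protected like any private key.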
Expand All @@ -53,11 +53,11 @@ Be sure to check that `server-certs` directory and files are present.

```sh
ferretdb \
--postgresql-url=postgres://localhost:5432/ferretdb \
--listen-tls=:27018 \
--listen-tls-cert-file=./server-certs/server-cert.pem \
--listen-tls-key-file=./server-certs/server-key.pem \
--listen-tls-ca-file=./server-certs/rootCA-cert.pem
--postgresql-url=postgres://localhost:5432/ferretdb \
--listen-tls=:27018 \
--listen-tls-cert-file=./server-certs/server-cert.pem \
--listen-tls-key-file=./server-certs/server-key.pem \
--listen-tls-ca-file=./server-certs/rootCA-cert.pem
```

Using `mongosh`, a client connects to ferretdb as `user2` using TLS certificates in `client-certs` directory.
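Review bot: indentation-only change, fine. Two points worth stating next to "Be sure to check that `server-certs` directory and files are present": `server-key.pem` is the private key and should be readable only by the account running `ferretdb`, and `--listen-tls=:27018` binds every interface, so the example exposes the TLS listener beyond localhost. The `--postgresql-url=postgres://localhost:5432/ferretdb` value carries no credentials, unlike the `user1:pass1` example in authentication.md; a sentence on how `user2` is then authenticated against PostgreSQL (the `user2:pass2` pair from the `mongosh` URI, per "a client connects to ferretdb as `user2`") would tie the two documents together.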
Expand All @@ -73,7 +73,7 @@ For using Docker to run `ferretdb` server, `docker-compose.yml` example for TLS
The Docker host requires certificates `server-certs` directory,
and volume is mounted from `./server-certs` of Docker host to `/etc/certs` of Docker container.

```yml
```yaml
services:
postgres:
image: postgres
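Review bot: grammar in the kept context: "The Docker host requires certificates `server-certs` directory" → "The Docker host requires the `server-certs` certificates directory". Since the container only reads the files, the example could mount `./server-certs` to `/etc/certs` read-only (`:ro`) so the private key cannot be modified from inside the container. The fence tag change itself is fine.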
Expand Down Expand Up @@ -114,11 +114,8 @@ It uses Docker volume to mount `./clients-certs` of Docker host to `/clients` Do

```sh
docker run --rm -it \
--network=ferretdb \
--volume ./client-certs:/clients \
--entrypoint=mongosh mongo \
'mongodb://user2:pass2@host.docker.internal:27018/ferretdb?authMechanism=PLAIN&tls=true&tlsCertificateKeyFile=/clients/client.pem&tlsCaFile=/clients/rootCA-cert.pem'
--network=ferretdb \
--volume ./client-certs:/clients \
--entrypoint=mongosh \
mongo 'mongodb://user2:pass2@host.docker.internal:27018/ferretdb?authMechanism=PLAIN&tls=true&tlsCertificateKeyFile=/clients/client.pem&tlsCaFile=/clients/rootCA-cert.pem'
```

Note that MongoDB URI uses `host.docker.internal` host in above, because it
needs to match certificate's [altnames](https://github.com/FerretDB/FerretDB/blob/main/build/certs/Makefile).
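Review bot: the context line "mount `./clients-certs` of Docker host" does not match `--volume ./client-certs:/clients` in the command (`clients-certs` vs `client-certs`); one of the two is a typo, and a reader copying the prose literally gets a missing directory. As on the server side, `./client-certs:/clients:ro` would be a safer default. The `host.docker.internal` explanation is helpful; adding that any other hostname fails verification because it is absent from the certificate's altnames, which is expected behaviour rather than a FerretDB bug, would save a support question.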